This pages lists some of the many security-related projects that the Computer Science Laboratory has participated in.

Event Monitoring Enabling Responses to Anomalous Live Disturbances This DARPA project represents the next generation in the series of IDES/NIDES projects, specifically addressing network misuse. EMERALD is now a part of the System Design Laboratory, and is run by Phil Porras.

Secure Networking

Secure Asynchronous Transfer Mode (ATM) Networks. This project studies issues of security in ATM networks and of how to modify current ATM protocols to handle security. Initial study completed in 1994. The current phase is to develop secure ATM signalling protocols, among other things. A paper was presented at IEEE Globecom '95. [Gong and Shacham]
Trusted Multicast. This project is to develop architectures and protocols for building secure multicast facilities in environments such as the Internet. Mobility issues are also considered. A paper appeared at IEEE ICNP-94 (October 1994) and has been revised and extended and published in ACM Journal on Wireless Systems (1995). [Gong and Shacham]
Network Authentication. A continuing effort to design new network authentication and key distribution protocols. The most recent result is a technique -- using polynomial interpolation and (secure keyed) one-way hash functions, instead of conventional encryption algorithms (such as DES or RSA) -- for building fast authentication protocols. A paper appeared at ACM CCS2 (November 1994). [Gong]

Secure Distributed Systems and Databases

Enclaves: a Secure Group Platform for the Internet. We are currently designing and developing a desk-top collaboration environment that enforces security controls over participation and activities (including selective access to data/files). The resulting system will also support secure group-oriented applications (including secure collaboration), multimedia and mobility, and have notarization capability.
Enclaves 1.0 has been designed, implemented, and demonstrated. It currently runs over Unix on SunOS, Solaris, and also Linux on Intel PCs. A CSL report on Enclaves is currently in review, authored by Steve Keung and Li Gong. [Gong]
Secure Interoperability. Sponsored by ARPA and Air Force Rome Laboratory, we are developing techniques for the automated semantic interoperation of heterogeneous multilevel databases containing data that mismatch in security semantics and policy. Currently we are formulating a taxonomy of heterogeneity in multilevel security semantics and policy, formalizing the security semantics of multilevel relational databases. We will also develop techniques for the detection of inference channels in the semantic interoperation of heterogeneous multilevel databases. [Qian and Gong]
SDTP: An Open Standard for Secure Distributed Transaction Processing. The objective of this project (which starts in October 1995) is to develop an open architectural standard for secure distributed transaction processing (SDTP). The standard will show how multiple application programs can share resources securely while coordinating their work into concurrent transactions that appear to be atomic. The proposed open standard will consist of a reference architecture, several reference designs, and several reference implementations. The SDTP reference architecture will be an extension of the X/Open distributed transaction processing (DTP) standard that enforces multilevel security. It will be precise, executable, and compact --- building on our existing formalization of the X/Open DTP standard in the Rapide architecture prototyping language. The SDTP reference designs will describe common single-level and multilevel configurations. For example, a given configuration may have a multilevel application running on single-level resource managers. We are aware of no reference designs for existing standards. They are used to bridge the gap between the reference architecture and a reference implementation. With this connection, production implementations can be developed faster and validated more easily and reliably. An SDTP reference implementation will be developed for each reference design. The implementations will be written in ANSI C source code, which can be compiled on a variety of platforms and operating systems and linked into application programs. Remote communication will be through an emerging open standard for secure socket-level communication. The three-tiered standard will be validated by a combination of formal proof and simulation. A demonstration instance of the SDTP standard will be developed to contain resource managers that involve single- and multilevel, off-the-shelf databases, a multilevel transaction manager. [Mark Moriconi and others.]
Security Policy for Adaptive Systems. This effort is to develop a framework within which multiple system requirements (such as security, availability, fault tolerance, real time) that are often desirable for critical applications can be expressed coherently and necessary trade-offs be made. [Lunt and Gong]

Other Computer Security Issues

A lot of research issues pop up now and then in the SRI CSL security group, including secure labelling (papers appeared in IEEE Transaction on Knowledge and Data Engineering (1995), and IEEE Symposium on Security and Privacy (1996), and collisionful keyed one-way hash functions (paper appeared in Information Processing Letters, 1995). [Gong and Qian]

Provably Secure Operating System PSOS (system design 1973-80, with ongoing research and analysis through 1983, DoD). PSOS was a hierarchically-structured capability-based operating system design in which each layer manages objects of a particular type and each object in the system is accessed by the presentation of a capability for that object. (It seems to have been the first strongly-typed object-oriented operating system, although that paradigm did not exist explicitly at the time.) SRI developed a unique tagged-capability hardware design to support this general capability concept. PSOS was one of the first to advocate and demonstrate the application of hierarchical design and the use of formal techniques to secure operating systems. The Honeywell Secure Ada Target (SAT) and LOCK (LOgical Coprocessor Kernel) and subsequent Secure Computing Corporation Sidewinder systems emerged from follow-on projects that were originally based on the PSOS conceptual design. (This is clearly an example of George Washington's original ax, with various new blades and new handles.)
The PSOS umbrella also supported CSL's early work on Information Flow. Given the HDM SPECIAL specifications for a security kernel, Rich Feiertag's flow analyzer (report CSL-109) produced would-be theorems that were fed to the Boyer-Moore theorem prover. This approach was used to analyze the multilevel security of KSOS (Ford Aerospace's Kernelized Secure Operating System), and found security flaws and covert channels in 16 of the 34 kernel functions. (The generation of would-be theorems and their proof efforts took 2.5 hours to run.)
Also under the PSOS project aegis, Goguen and Meseguer wrote and published the much cited pair of papers on noninterference and unwinding for the 1982 and 1984 IEEE Symposiums on Security and Privacy, Oakland, California. Their security model has been the basis for much later work elsewhere, including restrictiveness (nondeterministic noninterference). In addition, the early work on EHDM and its new specification language Revised Special began under the PSOS rubric.
SeaView (1984-93, USAF Rome Laboratory). The SeaView project designed a multilevel secure relational database system that could meet the criteria for Class A1. Its significant innovation was in relying on an A1 trusted computing base for DB multilevel security in such a way that no MLS trustworthiness was required of the DBMS. The project produced a security policy and interpretation, a multilevel relational data model that defines extensions to the standard relational model to specifically accommodate element labels, a formal security policy model, formal top-level specifications, implementation specifications, and a prototype system using a single-level Oracle DBMS on top of the Sun Compartmented Mode Workstation. (The originally subcontracted A1 MLS TCB did not materialize.) A formal specification of the security rules and the operations of the multilevel query language, MSQL, was produced using the EHDM formal specification language. Further extensions involved real time and distributed DBs.
Secure Alpha Real-Time Distributed Operating System (1991-93, Rome Lab). This project produced a security policy, formal model, descriptive top-level specifications, a high-level design, and demonstration system for a B3 MLS real-time operating system. Tradeoffs between security and real-time requirements were identified. Ways to control the scheduling covert channel, the malicious assertion of scheduling information, and thread fragmentation were examined.
Misuse and anomaly detection. Beginning in 1983, we have developed a series of real-time intrusion detection systems (IDES, NIDES, and now EMERALD). IDES (Intrusion-Detection Expert System) and NIDES (Next-Generation IDES) run on Sun workstations and monitor user activity in real time, adaptively learning user behavior patterns and detecting abnormal behavior and suspicious events, using both an expert system and statistical analysis. The rule-based system seeks the occurrence of events known to be suspect, whereas the statistical component seeks to identify statistically significant deviations from expected normal behavior. NIDES is able to monitor a variety of platforms, and has been applied to Unix workstations, Trusted XENIX personal computers, and various logs on IBM mainframes; it features a generic audit-record format applicable to diverse audit data sources and monitored machine types. The NIDES effort also included work on a new security officer interface that provides extensive on-line help, novice and expert capabilities, and protected roles for security officer, rule-base maintainer, and NIDES configuration analyst. The current DARPA project (EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances) extends IDES and NIDES concepts to networks. The EMERALD web page gives more detail on CSL's past work in intrusion detection (http://www.csl.sri.com/intrusion.html).
Safeguard (subcontract from Trusted Information Systems, 1993). NIDES was used to profile the behavior of system applications (rather than individual users). This work demonstrated how profile explosion and scalability problems can be overcome, while greatly reducing the false-positive and false-negative rates. This work has provided some very useful background for EMERALD.
TACAUD (mid-1980s, DCA/DISA). SRI (the NIC and CSL) developed TACAUD, an audit-trail analyzer for TAC logins on MILNET/ARPANET, for both live and after-the-fact detection.
Inference Control (ARPA, Rome Lab). CSL developed a graphical tool for detecting and removing specific types of inference problems in an MLS DBMS. This tool could be used by a data designer to analyze a candidate database schema for potential inference problems. It provides interactive facilities for graphical representation of an MLS DBMS schema, recognizing paths from low to high information, and suggesting methods for eliminating inference paths.
Preventing Security Misuse in Distributed Systems (1990-92, Rome Lab). Among other things, this project explored an MLS architecture with no MLS end-user systems, only MLS servers, avoiding user-related covert channels. It would be easy to implement. (Norm Proctor and Peter Neumann, Architectural Implications of Covert Channels, 1992 National Computer Security Conf.)
Architectures and Formal Representations for Secure Systems (1995-96, DoD, R2SPO). This project considered what formal methods and strong architectures can do for security and vice versa, particularly in distributed systems. See SRI-CSL-96-05, May 1996.
See the web pages for the Formal Methods program for further research efforts on formally specifying and proving security related properties.